On January 14, 2009, I posted a Call for Papers (CFP) to Bugtraq for a Conference on Cyber Warfare. Within hours, I received an email from n3td3v, an infamous computer security commentator [1]:

How can you have a security conference on “cyber warfare” when it doesn't exist and has never taken place.

n3td3v has a point. Estimating the threat posed by cyber attacks is not easy. Case studies are few in number, much information lies outside the public domain, and there have been no wars – yet – between modern, cyber-capable militaries. While the era of cyber espionage is already here [2], a possible era of broad-scale cyber warfare still lies in the future [3].

Nevertheless, an examination of international affairs over the past two decades suggests that cyber battles of great consequence are easy to find. Since the earliest days of the World Wide Web, Chechen guerilla fighters, armed not only with rifles but with digital cameras and HTML, have clearly demonstrated the power of Internet-enabled propaganda. During the 1999 war over Kosovo, likely non-state actors tried to disrupt NATO military operations through computer hacking, and were able to claim minor victories [4]. In 2007, Syrian air defense was reportedly disabled by a cyber attack moments before the Israeli air force demolished an alleged Syrian nuclear reactor [5]. In 2009, the entire nation-state of Kyrgyzstan was knocked offline during a time of political crisis [6].

What military officers call the ‘battlespace’ grows more difficult to define – and to defend – over time. Advances in technology are normally evolutionary, but they can be revolutionary: artillery reached over the front lines of battle; rockets and airplanes crossed national boundaries; and today, cyber attacks can target political leadership, military systems, and average citizens anywhere in the world, during peacetime or war, with the added benefit of attacker anonymity.

Information Technology (IT) now pervades our lives. In 1965, Gordon Moore correctly predicted that the number of transistors on a computer chip would double every two years [7]. There has been concomitant growth in almost all aspects of IT, including the widespread availability of practical encryption, user-friendly hacker tools, and Web-enabled open source intelligence (OSINT). It should therefore no longer be surprising that political and military strategists use and abuse computers, databases, and the networks that connect them in order to achieve their objectives [8]. In the early 1980s, this concept was already known in the Soviet Union as the Military Technological Revolution (MTR); following the U.S. victory in the 1991 Gulf War, the Pentagon's Revolution in Military Affairs was almost a household term [9].

Cyberspace, narrowly defined, is a collection of networked computers. But the extent to which humans (and other computers) obtain their information and marching orders from somewhere in cyberspace grows by the day. This is in part what hackers call the expanding ‘attack surface’. In national security terms, the concepts of attack, defense, and security remain unchanged, as do the threats posed by adversary propaganda, espionage, and attacks on critical infrastructure. The difference is that traditional threats are now Internet-enabled; they employ a new delivery mechanism that can increase the speed, diffusion, and even the power of an attack. The cyber skirmishes we witness today likely foreshadow a long march that cyber warfare will make from a corollary of real-world disputes to a lead role in conflicts of the future.

This book consists of the research papers presented at the Cooperative Cyber Defense Centre of Excellence (CCD CoE) Conference on Cyber Warfare, which took place in Tallinn, Estonia, in June 2009. Individually and collectively, they explore the relationship between computer security and national security. Unsurprisingly, the devil is found in the details: the challenge of attribution, the calculation of damages, the security of critical infrastructure, ethics, jurisdiction, responsibility, and much more. This book is divided into two sections: Strategic Viewpoints and Technical Challenges and Solutions.

Strategic Viewpoints

Chapter 1: “Cyber Wars: A paradigm shift from Means to Ends.” Amit Sharma, from the Indian Ministry of Defence, argues that cyber warfare is different from other types of conflict, and merits its own set of rules. He warns against trying to fit cyber warfare into the traditional definitions found in the Law of Armed Conflict (LOAC). Sharma believes that it is easy to underestimate the strategic potential of cyber warfare, stating that cyber attacks alone are powerful enough to achieve political goals. In his view, cyber warfare will cease to be merely a force multiplier for conventional warfare; rather, conventional warfare will be used to support the objectives of cyber warfare. Sharma examines the legal treatment of nuclear weapons, and deterrence theory, for possible application in the cyber domain.

Chapter 2: “Towards an Evolving Theory of Cyberpower.” Dr. Stuart H. Starr, from the Center for Technology and National Security Policy (CTNSP) at the National Defense University (NDU), discusses the development of a theory of ‘cyberpower’ in research that systematically addresses five key areas: it defines the key terms that are associated with cyber issues; it categorizes the elements, constituent parts, and factors that yield a framework for thinking about cyberpower; it explains the major factors that are driving the evolution of cyberspace and cyberpower; it connects the various elements of cyberstrategy so that a policy maker can place issues in proper context; and it anticipates key changes in cyberspace that are likely to affect decision making.

Chapter 3: “Sub Rosa Cyber War.” Martin C. Libicki of the RAND Corporation explains that the battlefield terrain of cyberspace allows not only for stealthy attack and defense, but even for the existence of a stealthy war. Sub rosa cyber war is a conflict in which the warring parties do not publicly acknowledge battlefield victories and defeats, or even the existence of an ongoing war. Two reasons such a conflict is possible include the difficulty of good cyber battle damage assessment and the diabolical challenge of cyber attack attribution. Further, opponents may desire to keep a cyber conflict sub rosa in order to preserve freedom of action; public awareness and scrutiny could complicate negotiations or lead to unwanted escalation. Libicki cautions that sub rosa cyber war carries serious risks, such as insufficient operational oversight and a dubious assumption that the conflict is truly sub rosa to third parties.

Chapter 4: “Warfare and the Continuum of Cyber Risks: A Policy Perspective.” Andrew Cutts, the Director of Cyber Security Policy at the U.S. Department of Homeland Security, explains that nation-states are beginning to appreciate the potential benefits and costs of employing cyber attacks as a means of projecting national power. He offers a framework for evaluating national cyber security policy that includes prioritizing competing missions and balancing short- and long-term objectives. The focus of this chapter is on the long-term, strategic threat. To get ahead of the most serious cyber risks, national security leadership must strive to find the appropriate balance of resources, energy, and focus, specifically to distinguish between the most frequent threats and those that are the most consequential.

Chapter 5: “Cyber Terrorism: A New Dimension in Battlespace.” Major J. P. I. A. G. Charvat, from the Centre of Excellence Defence against Terrorism in Ankara, Turkey, examines the emerging threat of cyber terrorism. First, he discusses the phenomenon of terrorism and the motivations of terrorist organizations. Next, he explores the way terrorists now use IT to disseminate propaganda, to recruit new members, and to support conventional attacks. Finally, he considers the possibility that a terrorist organization might adopt a pure cyber attack strategy in an attempt to inflict electronic or physical damage.

Chapter 6: “Borders in Cyberspace: Can Sovereignty Adapt to the Challenges of Cyber Security?” Forrest Hare, from the School of Public Policy at George Mason University, writes that while cyberspace has no borders, nation-states do. Therefore, governments must consider how they will define and defend their sovereignty in this new domain. Crucially, Hare argues that governments should realize that to some degree they will be forced to coordinate and integrate their efforts on the international level. To help explore the nature of boundaries in cyberspace, this research makes use of two very different frameworks: the first is a comparison of the challenges of cyber security to international drug trafficking; the second employs game theory to support the cyber security decision-making process.

Chapter 7: “Towards a Global Regime for Cyber Warfare.” Dr. Rex Hughes, Co-Director of the Cyber Security Project, Chatham House, London, explains that when novel, disruptive technologies dramatically alter the nature of warfare, history shows that the likelihood of a new arms race is high. As more nations aspire to project national power in cyberspace, a digital arms race may be around the corner. Therefore, diplomats should find a coherent set of principles, rules, and norms to govern state security and military operations in cyberspace. Hughes argues that the most importat cyber challenge facing national security thinkers today concerns how to prevent a major arms race in this arena. This chapter introduces readers to the Law of Armed Conflict, examines how it might apply to cyber warfare, and outlines the steps required to create a global regime for cyber warfare.

Chapter 8: “What Analogies Can Tell Us About the Future of Cybersecurity.” David Sulek and Ned Moran of Booz Allen Hamilton examine the benefits and drawbacks of using historical analogies to understand cyber warfare. When such analogies are appropriately chosen and systematically applied, they can clarify the present situation and offer decision-makers strategic insight; vice versa, poor analogies obscure objectives, unnecessarily complicate choices, and create blind spots. In every case, analogies are bound to fail unless they incorporate objective analysis and their hand is not overplayed. The authors consider the well-known Electronic Pearl Harbor, and explore a range of new ideas: Cyber Katrina, Cyber Sputnik, Cyber Balkanization, Cyber Tribes, Cyber Conquistadors, and Cybernization.

Chapter 9: “The Information Sphere Domain – Increasing Understanding and Cooperation.” In this chapter, Dr. Patrick D. Allen (Johns Hopkins University, Applied Physics Lab) and Dennis P. Gilbert, Jr (Booz Allen Hamilton) write that a great advantage always accrues to a competitor who understands and operates within a domain better than their opponent. First, the authors define what constitutes a domain, and describe how new domains are created over time. Their research outlines the ‘Information Sphere’ domain, which has features that are both similar to and different from the four traditional, physical domains: air, land, sea, and space.

Chapter 10: “Sun Tzu was a Hacker: An Examination of the Tactics and Operations from a Real World Cyber Attack.” Billy K. Rios, of GreyLogic, LLC, examines the nuts and bolts of a real world, international cyber attack. Rios was in a unique position to witness the “communications, execution, and responses” of the cyber attackers and defenders in the 2008 war between Russia and Georgia. The author concludes that the availability and effectiveness of cyber attack tools ensure that data packets, fired purely on the battlefield terrain of computer networks, are likely to play a role in all future international conflicts. This research paper considers cyber attacks in the light of traditional concepts of maneuver warfare, as described in Marine Corps Doctrinal Publication 1 (MCDP-1).

Chapter 11: “Belarus in the Context of European Cyber Security.” Fyodor Pavlyuchenko, of www.charter97.org, examines the use of Internet censorship as a government tool that can be used to suppress political dissent within a nation-state. The author, representing one of the most popular – and hacked – online news sites in Belarus, catalogues a decade of cyber attacks that the site has suffered (usually during times of political tension). The author believes that the use of political DoS attacks threatens not only freedom of expression in Belarus, but the integrity of Internet resources in other European countries as well. Finally, he contends that the cyber conflict in Belarus is analogous to the ongoing struggle between state and non-state actors in Russia.

Chapter 12: “Politically Motivated Denial of Service Attacks.” Jose Nazario of Arbor Networks dissects DDoS attacks that have been used in support of political or ideological goals. He explains how DDoS attacks have evolved from a platform used to inflict “punitive damage” on a target to a sophisticated means of Internet censorship. Nazario uses extraordinary access to a wide range of data, including Internet backbone traffic, border gateway protocol (BGP) routing data, botnet communications, and community chatter, to create a compelling narrative. He concludes that while most Internet attackers appear to be non-state actors, they are nonetheless capable of using botnets of significant size and power to launch effective DDoS attacks.

Chapter 13: “A Brief Examination of Media Coverage of Cyberattacks (2007-Present).” Cyrus Farivar, a freelance technology journalist, critiques the media coverage of three politically-oriented cyber attacks: Kyrgyzstan (2009), Georgia (2008), and Estonia (2007). He reflects on where journalistic analysis was correct and where it was off the mark. On balance, he argues that there is enormous room for improvement, and that it is in the interest of the cyber security community, the media, and policymakers to improve their understanding of and their ability to write on the subject of cyber attacks, so that public understanding and appreciation of this new threat will increase. Technical Challenges and Solutions

Chapter 14: “Behavioral Analysis of Zombie Armies.” Olivier Thonnard, Wim Mees (both from the Royal Military Academy, Belgium) and Marc Dacier (Symantec Research Labs, France) present ground-breaking research on the behavior of ‘zombie armies’. They characterize the long-term behavior, global characteristics, strategic evolution, size, lifespan, and resilience of botnets. Their research highlights the uneven spatial distribution of infected computers across the Internet, specifically on a limited number of “unclean” or “zombie-friendly” networks. Most of the botnets they studied have an impressive attack capability in terms of bandwidth and the number of ways they are able to probe and exploit other computers; further, like real-world armies, they can coordinate their efforts with other botnets. Their analysis employed data from the European Union (EU)-funded WOMBAT project (Worldwide Observatory of Malicious Behaviors and Attack Threats).

Chapter 15: “Proactive Botnet Countermeasures – An Offensive Approach.” Felix Leder, Tillmann Werner, and Peter Martini, from the Institute of Computer Science IV, University of Bonn, Germany, contend that cyber defenders are at a disadvantage vis-à-vis attackers in part because computer science evolves too quickly for cyber law to keep up. In this chapter, the authors describe a technically feasible, proactive way to detect and defeat computer botnets, based on the assumption that reactive measures alone are insufficient. Their research formalizes botnet topologies, via real-world examples, and derives effective strategies for attacking them. However, they explain that their approach employs tactics that go well beyond what current cyber law encompasses, and argue that “controversial discussions” are needed to explore the political, legal, ethical, and liability-based ramifications of a proactive, counter-botnet approach – sooner rather than later.

Chapter 16: “When Not to Pull the Plug – The Need for Network Counter-Surveillance Operations.” Scott Knight and Sylvain Leblanc of the Royal Military College of Canada argue that one traditional response to a cyber attack – to immediately remove compromised machines from the network – has two primary drawbacks: it warns the intruder that he or she has been discovered, and it can prevent the collection of crucial evidence to help determine motive and estimate damage. The authors delineate a Network Counter-Surveillance Operation designed to maintain quiet contact with a hacker while information is gathered on intentions, techniques and more.

Chapter 17: “Autonomic Computer Network Defence Using Risk State and Reinforcement Learning.” Luc Beaudoin (Defense Research and Development Canada), Nathalie Japkowicz and Stan Matwin (both from the University of Ottawa) write that humans are simply not able to handle the complexity and speed of many forms of cyber attack, and that it is essential to automate certain aspects of traffic analysis and attack mitigation. They argue that a level of autonomic computer network defense can be achieved using reinforcement learning and dynamic risk assessment, with a view toward determining optimal action sequences (or policies) to recover from computer network risk situations. In their view, this approach will benefit commercial network management and security products by aiding in the selection of automatic mitigation actions, as risk states are sensed.

Chapter 18: “Enhancing Graph-based Automated DoS Attack Response.” Gabriel Klein, Marko Jahnke, Jens Tölle (all from FGAN-FKIE, Germany), and Peter Martini (University of Bonn, Germany) argue that timely and appropriate responses to DoS attacks are critical in both civilian and military settings. While intrusion detection systems (IDS) are capable of detecting DoS attacks, the growing sophistication and speed of such attacks increase the need for automated countermeasures to support computer network defense. Per force, it is necessary to quickly evaluate the potential effects of proposed countermeasures on network resources. This chapter discusses GrADAR, an intuitive, graph-based approach for automatically assessing the likely effects of DoS countermeasures on a network. Further, it proposes an enhancement which takes into account the effects of the workload on resource availability.

Chapter 19: “On n^th Order Attacks.” Daniel Bilar, from the University of New Orleans, USA, explores a class of cyber attack designed to subvert “mission-sustaining ancillary systems”. In technical terms, ancillary systems could be throughput control, visualization environments, memory resource allocation, manufacturing, and the supply chain; the purpose of such systems – and the real target of the attacker – is its political, military, or economic mission. The attacker's goal could be to disrupt power management, logistics, elections, or even the social welfare of the target. Bilar discusses historical, current and forward-looking examples, with special emphasis on attacks against computerized, open societies.

Chapter 20: “Business and Social Evaluation of Denial of Service Attacks in View of Scaling Economic Countermeasures.” Louis-Francois Pau, from the Copenhagen Business School and Rotterdam School of Management, writes that DoS attacks not only affect computer network resources; they can have a direct, negative impact on the bottom line of a business in the real world. This chapter proposes a method to determine the direct and indirect costs associated with DoS attacks, which is a necessary step in determining countermeasures aimed at legal- or policy-driven dissuasion, retaliation, compensation, and restoration. Dr. Pau's method relies on time-preference dynamics applied to monetary mass for the restoration of capabilities, on long-term investments to rebuild capabilities, and on the usability level of capabilities after an attack. A real-world example of a DoS attack on a corporate data centre is provided. In conclusion, the author gives specific policy recommendations and suggests information exchange requirements.

Chapter 21: “Virtual Plots, Real Revolution.” Roelof Temmingh (Paterva) and Kenneth Geers (NCIS/CCD CoE) investigate whether computer botnets could evolve from spam and Distributed Denial of Service (DDoS) generators to semantic creatures that could voice opinions, arguments, and even threats via the Internet. Key to their argument is the assumption that only a small percentage of information on the Web is truly unique. In theory, a malicious actor could create a virtual population of fraudulent identities from stolen and/or randomized biographies, pictures, and histories of Internet activity, which could be used to support a criminal, political, military or terrorist agenda. The increasingly impersonal nature of Internet communications will make timely threat evaluation difficult.

Many thanks to all who were involved in organizing the 2009 Conference on Cyber Warfare, and especially to Christian Czosseck, for his diligence in helping to edit this book.

Kenneth Geers, Tallinn, Estonia, August 7, 2009

References

[1] “Who is “n3td3v”?", Hacker Factor Solutions, White Paper, Release 1.4.1, 12-October-2006, www.hackerfactor.com/papers/who_is_n3td3v.pdf.

[2] “Espionage report: Merkel's China visit marred by hacking allegations”. Spiegel Online, August 27, 2007, http://www.spiegel.de/international/world/0,1518,502169,00.html; Cody, E. “Chinese official accuses nations of hacking”. Washington Post, September 13, 2007, http://www.washingtonpost.com/wpdyn/content/article/2007/09/12/AR2007091200791_pf.html#.

[3] However, this is already a point on which reasonable people can disagree: “How robot drones revolutionized the face of warfare”, Cable News Network (CNN), July 24, 2009. http://edition.cnn.com/2009/ WORLD/americas/07/23/wus.warfare.remote.uav/index.html.

[4] Geers, Kenneth. “Cyberspace and the Changing Nature of Warfare,” SC Magazine, August 27, 2008, http://www.scmagazineus.com/Cyberspace-and-the-changing-nature-of-warfare/article/115929/.

[5] Fulghum, David A., Wall, Robert, and Butler, Amy. “Cyber-Combat's First Shot,” Aviation Week & Space Technology. November 26, 2007. Vol. 167, Iss. 21, p. 28.

[6] Keizer, Gregg. “Russian ‘cyber militia’ knocks Kyrgyzstan offline”, Computerworld, 01/28/2009, www.networkworld.com/news/2009/012809-russian-cyber-militia-knocks-kyrgyzstan.html.

[7] “Moore's Law”, Intel Corporation, www.intel.com/technology/mooreslaw/.

[8] Adams, James. “Virtual Defense”, Foreign Affairs, May/June 2001, 80, 3, p. 98.

[9] Mishra, Shitanshu. “Network Centric Warfare in the Context of ‘Operation Iraqi Freedom''' Strategic Analysis, Vol. 27, No. 4, Oct-Dec 2003, Institute for Defence Studies and Analyses, http://www.idsa.in/publications/strategic-analysis/2003/oct/Shitanshu.pdf.